NHS security 'slip-ups' highlight need for electronic health records

One fifth of data security breaches in the healthcare sector are the result of paper records being lost or stolen, according to figures obtained by Cable.co.uk.

A freedom of information request has revealed there were 701 breaches of security relating to patient data between April 2013 and March 2014 – of those, 137 incidents (or 20%) involved loss or theft of paperwork. This was exceeded only by “information disclosed in error” – which made up 21% of all cases.

These figures, obtained from the Information Commissioner's Office (ICO), contrast with the number of data breaches related to patient information that is stored online.

Just three of the 701 reported incidents were categorised as a “technical security failing (including hacking)”.

In addition, there was one incident relating to corruption or inability to recover electronic data during the 12-month period.

Earlier this month Dame Fiona Caldicott was appointed to the new role of national data guardian for health and care.

In a statement announcing the appointment, the Department of Health (DH) said: “Dame Fiona will oversee the safe use of people’s personal health and care information and hold organisations to account if there is any cause for concern, ensuring public confidence”.

Commenting on the number of data breaches involving paper records, a spokesperson for DH, which is leading the drive to digitised records, told Cable.co.uk: "Patient confidentiality is extremely important which is why we have just appointed the first National Data Guardian who will come down hard on any breaches of health and care data".

Dame Fiona Caldicott could not be contacted for comment.

Commenting on the figures, IDC Health Insights research manager Silvia Piai said patients should be worried about the current use of physical records.

“Paper records are easily stolen, lost etc. but most importantly, digital [records] are easier to track who has had access to what, with paper it’s more difficult to investigate and detect violations.

“With paper records it is very difficult to promptly take action, while digital allows you to automate certain parts of risk management and fraud detection systems.”

However, a spokesperson for the ICO argued that healthcare professionals need to handle both types of records more responsibly.

“The vast majority of the breaches we see are not down to sophisticated hacking attacks but relate to mistakes that can be seen, on one level, as simple human error.

“However, it is important that organisations across the health service have measures in place to mitigate against the risks of handling sensitive personal information.

“Making sure patients’ records are only accessed by trained staff, are stored securely after use and are destroyed once they are no longer required are all important considerations.”

Alex Wyke, CEO of PatientView, who survey patient groups, agrees: "While the number of data breaches in the health sector far outstrips that of electronic records, paper-based slip-ups are more likely to relate to one individual's mistake whereas electronic ones could relate to many people at a time.

"That is why electronic security of e-based health records is so important."

The ICO highlighted a recent case where physical files were lost by a health authority: “We recently issued an enforcement notice to NHS Grampian after six incidents where papers containing sensitive personal information were misplaced before being returned to staff.

“The underlying problem in this instance was that the health board failed to keep a record of the information they held and the departments responsible for looking after it.

“This failing meant that further breaches were allowed to occur as the underlying problems continued to be overlooked.

“As with NHS Grampian, we will take enforcement action where it is clear an organisation is failing to look after people’s information.”

Between April 2013 and March 2014, the ICO received 14,738 data protection complaints. Of these, 10% related to the health sector – the third highest sector behind money lenders (17%) and local government (12%).

The health sector is the third most complained about, but has reported the highest number of breaches to the office.

Health secretary Jeremy Hunt has committed to ensuring a paperless NHS and fully integrated digital patient records across NHS and social care services by April 2018.

Currently, NHS patients can ask for a Summary Care Record, which is an electronic record stored at a central location. Individual practices and parts of the social care system use their own digital record systems.